[refpolicy] [PATCH 2/2] contrib: new libmtp module

Dominick Grift dac.override at gmail.com
Sun May 14 10:53:26 UTC 2017


On Sun, May 14, 2017 at 12:46:21AM +0200, Christian Göttsche via refpolicy wrote:
> 2017-05-13 23:15 GMT+02:00 Guido Trentalancia via refpolicy
> <refpolicy at oss.tresys.com>:
> > This is the contrib part of the policy needed to support libmtp (an
> > Initiator implementation of the Media Transfer Protocol).
> >
> > Signed-off-by: Guido Trentalancia <guido at trentalancia.net>
> > ---
> >  policy/modules/contrib/libmtp.fc |    3 +
> >  policy/modules/contrib/libmtp.if |   30 +++++++++++++++++++
> >  policy/modules/contrib/libmtp.te |   61 +++++++++++++++++++++++++++++++++++++++
> >  3 files changed, 94 insertions(+)
> >
> > --- a/policy/modules/contrib/libmtp.fc  1970-01-01 01:00:00.000000000 +0100
> > +++ b/policy/modules/contrib/libmtp.fc  2017-05-13 21:37:57.529042530 +0200
> > @@ -0,0 +1,3 @@
> > +HOME_DIR/\.mtpz-data   --      gen_context(system_u:object_r:libmtp_home_t,s0)
> > +
> > +/usr/bin/mtp-(.*)?     --      gen_context(system_u:object_r:libmtp_exec_t,s0)
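Review bot: the optional group in `/usr/bin/mtp-(.*)?` on the last line of this hunk is redundant, since `.*` already matches the empty string, and `.*` also matches `/`, so the pattern would label anything below a directory named `mtp-*` under `/usr/bin` as well. The other contrib modules use a character class that stops at a path separator; `/usr/bin/mtp-[^/]+ -- gen_context(system_u:object_r:libmtp_exec_t,s0)` keeps the `--` regular-file restriction and only matches the `mtp-*` tools themselves.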
> 
> This regex seems a bit odd to me.
> Maybe "/usr/bin/mtp-[^/]+" or "/usr/bin/mtp(-.+)?"
> 
> > --- a/policy/modules/contrib/libmtp.if  1970-01-01 01:00:00.000000000 +0100
> > +++ b/policy/modules/contrib/libmtp.if  2017-05-13 21:21:58.102046453 +0200
> > @@ -0,0 +1,30 @@
> > +## <summary>libmtp: An Initiatior implementation of the Media Transfer Protocol (MTP).</summary>
> > +
> > +###########################################################
> > +## <summary>
> > +##     Role access for libmtp.
> > +## </summary>
> > +## <param name="role">
> > +##     <summary>
> > +##     Role allowed access.
> > +##     </summary>
> > +## </param>
> > +## <param name="domain">
> > +##     <summary>
> > +##     User domain for the role.
> > +##     </summary>
> > +## </param>
> > +#
> > +interface(`libmtp_role',`
> > +       gen_require(`
> > +               attribute_role libmtp_roles;
> > +               type libmtp_t, libmtp_exec_t;
> > +       ')
> > +
> > +       roleattribute $1 libmtp_roles;
> > +
> > +       domtrans_pattern($2, libmtp_exec_t, libmtp_t)
> > +
> > +       allow $2 libmtp_t:process { ptrace signal_perms };
> > +       ps_process_pattern($2, libmtp_t)
> 
> admin_process_pattern
> 
> > +')
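Review bot: the module summary on the first line of this hunk misspells "Initiator" as "Initiatior" (`## <summary>libmtp: An Initiatior implementation ...`); this string is the one that ends up in the generated interface documentation, so correct it to `## <summary>libmtp: An Initiator implementation of the Media Transfer Protocol (MTP).</summary>` to match the wording of the commit description.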
> > --- a/policy/modules/contrib/libmtp.te  1970-01-01 01:00:00.000000000 +0100
> > +++ b/policy/modules/contrib/libmtp.te  2017-05-13 23:05:11.151021134 +0200
> > @@ -0,0 +1,61 @@
> > +policy_module(libmtp, 1.0.0)
> > +
> > +##############################
> > +#
> > +# Declarations
> > +#
> > +
> > +## <desc>
> > +##     <p>
> > +##     Determine whether libmtp can
> > +##     manage the user home directories
> > +##     and files.
> > +##     </p>
> > +## </desc>
> > +gen_tunable(libmtp_enable_home_dirs, false)
> > +
> > +attribute_role libmtp_roles;
> > +
> > +type libmtp_t;
> > +type libmtp_exec_t;
> > +userdom_user_application_domain(libmtp_t, libmtp_exec_t)
> > +role libmtp_roles types libmtp_t;
> > +
> > +type libmtp_home_t;
> > +userdom_user_home_content(libmtp_home_t)
> > +
> > +##############################
> > +#
> > +# libmtp local policy
> > +#
> > +
> > +allow libmtp_t self:capability2 wake_alarm;
> 
> curious question: does the application really need this or might this
> be related to https://github.com/SELinuxProject/selinux-kernel/issues/28
> 
> > +
> > +allow libmtp_t self:netlink_kobject_uevent_socket create_socket_perms;
> > +allow libmtp_t self:fifo_file rw_fifo_file_perms;
> > +
> > +allow libmtp_t libmtp_home_t:dir manage_dir_perms;
> > +allow libmtp_t libmtp_home_t:file manage_file_perms;
> > +allow libmtp_t libmtp_home_t:lnk_file manage_lnk_file_perms;
> > +userdom_user_home_dir_filetrans(libmtp_t, libmtp_home_t, file, ".mtpz-data")

Everything indicates that it only creates a file, so why permit it to create dirs and lnk files as well?

> > +
> > +dev_read_sysfs(libmtp_t)
> > +dev_rw_generic_usb_dev(libmtp_t)
> > +
> > +files_read_etc_files(libmtp_t)
> > +
> > +locallogin_use_fds(libmtp_t)
> 
> for console applications, I am using domain_use_interactive_fds to
> include newrole_t and others
> 
> > +
> > +miscfiles_read_localization(libmtp_t)
> > +
> > +userdom_use_user_terminals(libmtp_t)
> 
> userdom_use_inherited_user_terminals?
> 
> > +
> > +tunable_policy(`libmtp_enable_home_dirs',`
> > +       userdom_manage_user_home_content_dirs(libmtp_t)
> > +       userdom_manage_user_home_content_files(libmtp_t)
> > +       userdom_user_home_dir_filetrans_user_home_content(libmtp_t, { dir file lnk_file })

Here you're specifying a type transition for a link file, but libmtp_t is not allowed to create user home content lnk files.

> > +')
> > +
> > +optional_policy(`
> > +       udev_read_pid_files(libmtp_t)
> > +')
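Review bot: the class list in `userdom_user_home_dir_filetrans_user_home_content(libmtp_t, { dir file lnk_file })` inside the `libmtp_enable_home_dirs` tunable block names `lnk_file`, but the same block only calls `userdom_manage_user_home_content_dirs` and `userdom_manage_user_home_content_files`, so a symlink transition is declared that libmtp_t can never exercise. Either drop `lnk_file` from the class list or pair it with the corresponding symlink manage interface; likewise the unconditional `manage_dir_perms` and `manage_lnk_file_perms` on libmtp_home_t earlier in this hunk go beyond the single `.mtpz-data` file that the `userdom_user_home_dir_filetrans(libmtp_t, libmtp_home_t, file, ".mtpz-data")` line creates, and should be trimmed to the `file` rule unless the application is known to create more.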
> > _______________________________________________
> > refpolicy mailing list
> > refpolicy at oss.tresys.com
> > http://oss.tresys.com/mailman/listinfo/refpolicy

-- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8  02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift

